Is there a standard for Trojan/Rootkit to phone home ?

Discussion in 'privacy general' started by eyes-open, Oct 25, 2005.

Thread Status:
Not open for further replies.
  1. eyes-open

    eyes-open Registered Member

    Joined:
    May 13, 2005
    Posts:
    721
    I assume that regardless of what type of Trojan/Rootkit etc. may have snuck onto your machine - at some point it will want/need to open a port and reach out to someone ?

    So if you believed there was an outside possibility that you may be infected, how long would you expect to have to watch/log port activity (with netstat, Port Explorer etc.) before being reasonably sure that there is nothing that wants to call out ?

    P.S. I don't personally think I have such an issue at the moment - I just don't remember reading anything about the frequency/patterns with which such intruders try to get back out to the net ?

    Would you expect suspicious activity within for example, a week of watching logs, or is there no reliable standard ? Or is there a degree of built-in dormancy that means some malware will remain inactive for long periods of time (a month or more) before becoming active and trying to call out?
     
  2. trillion

    trillion Guest

    I'm not a super expert in this area, but from what I understand not all rootkits and trojans will just open a port, or try to call home in such a visible way. Often rootkits can remain completely hidden from any port monitoring through various techniques. So even if a rootkit (some rootkits, not all) was connecting out from your computer you wouldn't be able to tell, even when using a port monitor.

    Also some trojans hijack other programs, through dll injection techniques etc.., and can even wait till you use that program, and then send the stolen data along with the program you're running (e.g. Internet Explorer) out to the internet, so you would think a legitimate program was accessing the net, but in reality the trojan was also sending out data along with it.

    Finding trojans and rootkits seems to be getting more and more difficult, so make sure you have a good updated anti-virus and maybe good anti-trojan too. It wouldn't hurt to have something like Process Guard or Antihook either to block rootkits and trojans in the first place. Of course there are many other things that can be done to stop malware too, just look around the forum for other ideas.
     
  3. eyes-open

    eyes-open Registered Member

    Joined:
    May 13, 2005
    Posts:
    721
    Thanks for the reply trillion.

    I had assumed that either a port that was identifiable as malignant would appear in the listening ports lists. Or at least, should a port be masquerading as a legitimate service - the remote port/address would present as being inappropriate.

    Either way I figured a decent port log should have been able to pick it up.

    Looks like I'll have to do more homework :) .
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Trillion mentions some of the ways trojans can connect out. Several ways to prevent:

    1) secure the firewall and browser (or by process blocker) to stop injection techniques from bypassing those safeguards. Not so easy, as Thermite and CopyCat are successful in most cases.

    2) configure the firewall to alert to unauthorized outbound connections.

    In the trojans I've been able to test, I've noticed that most have a built in SMTP email engine, or are coded to establish an outbound connection by hijacking another application, or by using itself as a dropper, which usually copies itself to the system with another filename.

    Different ways of disabling firewalls have appeared in various articles - not all are successful. I've yet to be able to test a program that can do this.

    EDIT: for comments about rootkits, see Posts #6 and #7 below.

    I've posted a few tests in other threads - here are some that show how the firewall alerts to an unauthorized outbound attempt, beginning with the recent dfk-threat-simulator test (the firewall results given here).

    My interest in these tests is to assume the trojan/worm does get installed and to see if the firewall is successful in preventing the trojan/worm from calling out. If so, then the damage is contained within the system and does not contaminate anyone else.

    http://www.rsjones.net/dfk_fw

    http://www.rsjones.net/Bagle

    http://www.rsjones.net/Codec

    http://www.rsjones.net/DriveBySite

    http://www.rsjones.net/SoberQ


    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
    Last edited: Oct 27, 2005
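    As an added example (not from any poster, and using a made-up log format with constructed entries): a script over outbound-connection log lines of the kind a firewall configured to alert on outbound traffic would record, flagging a program missing from an assumed allow-list and a destination contacted on a fixed timer, the call-out pattern the thread opened by asking about.

```python
import re
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of outbound-connection log lines in a made-up firewall
# format: timestamp, direction, process, local socket -> remote socket.
SAMPLE_LOG = """\
2005-10-25 09:00:02 OUT iexplore.exe 10.0.0.5:1041 -> 192.0.2.10:80
2005-10-25 09:00:17 OUT iexplore.exe 10.0.0.5:1043 -> 198.51.100.7:25
2005-10-25 09:10:18 OUT iexplore.exe 10.0.0.5:1052 -> 198.51.100.7:25
2005-10-25 09:12:40 OUT outlook.exe 10.0.0.5:1060 -> 192.0.2.20:110
2005-10-25 09:20:17 OUT iexplore.exe 10.0.0.5:1061 -> 198.51.100.7:25
2005-10-25 09:30:19 OUT iexplore.exe 10.0.0.5:1073 -> 198.51.100.7:25
2005-10-25 09:45:03 OUT game.exe 10.0.0.5:1090 -> 203.0.113.9:6667
"""
LINE_RE = re.compile(r"^(\S+ \S+) OUT (\S+) \S+ -> (\S+):(\d+)$")
ALLOWED = {"iexplore.exe", "outlook.exe"}  # assumed baseline of known programs

def parse(log):
    """Return (timestamp, process, remote_ip, remote_port) for each OUT line."""
    rows = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            rows.append((ts, m.group(2), m.group(3), int(m.group(4))))
    return rows

def unlisted_processes(rows, allowed=ALLOWED):
    """Programs that connected out without being on the allow-list."""
    return sorted({proc for _, proc, _, _ in rows if proc not in allowed})

def beacons(rows, min_hits=3, max_jitter=0.1):
    """(process, ip, port, mean_gap_seconds) for destinations contacted on a
    near-constant interval; jitter = stddev/mean of the gaps, near zero = timer."""
    by_dest = {}
    for ts, proc, ip, port in rows:
        by_dest.setdefault((proc, ip, port), []).append(ts)
    found = []
    for key, times in by_dest.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if pstdev(gaps) / mean(gaps) <= max_jitter:
            found.append((*key, round(mean(gaps))))
    return sorted(found)
```

    The timer check is what catches a hijacked browser speaking SMTP every ten minutes, which the allow-list alone would pass; as later posts in this thread note, a kernel-level rootkit can keep such entries out of the host's own log entirely.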
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Can you cite a source for this? Are you aware of any trojans that can do this?

    thanks,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  6. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    From Gavin (at DiamondCS) in a recent email exchange:

    Rootkits dont need to evade firewalls. They can pass straight through them by modifying things at the kernel level. This is why we are so adamant that rootkit scanners are NOT good enough. They can lead to a false sense of security. Rootkits do already exist which are not detected by any of these scanners.

     
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Thanks for that quote.

    I had forgotten about Hxdef, but remember now reading that all doesn't always work as planned, and certain conditions sometimes have to be met. From the FAQ:

    -------------------------------------
    4)
    Q: How is that I can't connect to backdoor on ports 135/TCP, 137/TCP, 138/TCP,
    139/TCP or 445/TCP when target box has them open?

    A: As mentioned in 5. Backdoor section of this readme backdoor need server
    with incomming buffer larger or equal to 256 bits. And also system ports may
    not work. If you have a problem with find open port that works you can simply
    run netcat and listen on your own port. You should add this netcat port to
    Hidden Ports in inifile then.
    --------------------------------------

    Having said that, though, I note that Windows rootkits are often described as a type of trojan. See

    http://diamondcs.com.au/processguard/index.php?page=attack-rootkits

    "Rootkits are a special class of trojan."

    But it's becoming evident that rootkits need to be considered in a separate class by themselves, since their evolution is in a direction away from the traditional trojan, and ways of dealing with traditional trojans will no longer be applicable as rootkits evolve further.

    So, I will edit my comments in above posts to refer to traditional trojans, where the outbound connection can be stopped by the firewall.

    I still would like to know what Trillion was specifically referring to per my question in Post #5.

    Finally, in the tests I ran, I had to permit the trojan to install.
    In the real world, of course, no one would ever let that happen, right?!
    http://www.rsjones.net/guard1.jpg

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  8. controler

    controler Guest

    I am sure by now you people have viewed the video Microsoft did on rootkits.

    If not it is nicely done. hacker defender is the rootkit mostly talked about. The version he used was the free version for demo purposes.
    Yes I know the video is almost 8 meg download but I think it is worth it.
    Talks about both usermode and kernel mode kits.
    HD sets up its own port as a listening one you don't see.
    I think we have talked about changing file names in the past. anti-keylogger was one of the first to change its exe name randomly on boot. This was to try to fool anti-anything software from searching for a set name. I talked about it and got a lot of grief from posters here about that technique.
    Now we are seeing more and more programmers doing this same exact thing.
    rootkit revealer for instance does it.

    Here is the video: http://www.microsoft.com/technet/community/columns/sectip/st1005.mspx

    and here is another link thrown in just for fun:
    http://www.governmentsecurity.org/

    controler
     
  9. changing file name is considered innovative? LOL.. i thought the first thing you do with rootkits is to customise the name of the files.. same for keyloggers.

    We can always depend on Rmus to come up with a deep insightful comment.
     
  10. eyes-open

    eyes-open Registered Member

    Joined:
    May 13, 2005
    Posts:
    721
    It's all good.

    I'll check out that video controler cheers.

    At this point just clarify one thing for me could you ?

    If it is a genuine Trojan/Rootkit (by that I mean one that secretly gains access to your information/services and then attempts to covertly communicate with the originators client). In order to share your information, does it not still have to use a remote address that is potentially identifiable as rogue ?

    While we're posting links - here's one from bleepingcomputer titled How Malware hides and is installed as a Service http://www.bleepingcomputer.com/tutorials/tutorial83.html#list
     
    Last edited: Oct 27, 2005
  11. controler

    controler Guest

    Why yes changing names confuses the rootkit. Why? because the rootkit is looking for a string with a certain name. Duh?

    Now for da firewall. Well ok ready? If it is a kernel rootkit it sits between your firewall and windows and delivers all OK info to the software firewall.
    Note I said software AD? LOL

    controler
     
  12. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    you can use Ethereal to see your network activity. a rootkit can't hide that can it?
     
  13. ch0pper

    ch0pper Guest

    Yes it can.
     
  14. Indeed, old hat.
     
  15. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    but if the infected machine is connected through another comp running Ethereal hxdef traffic is visible.
    while Ethereal on the infected computer cannot see anything.
     
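    The cross-check illukka describes, written out as an added example (not any poster's code): compare the host's own connection listing with what a second machine on the path captured, and report the flows that only the outside view shows. The netstat-style text, the flow records and all addresses are constructed.

```python
import re

# Constructed on-host listing in the shape of 'netstat -an' output (assumed format).
HOST_VIEW = """\
Proto  Local Address          Foreign Address        State
TCP    10.0.0.5:1041          192.0.2.10:80          ESTABLISHED
TCP    10.0.0.5:1060          192.0.2.20:110         ESTABLISHED
TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
"""
# Constructed flow records from a capture on a second machine: (src, dst, proto).
WIRE_VIEW = [
    ("10.0.0.5:1041", "192.0.2.10:80", "TCP"),
    ("10.0.0.5:1060", "192.0.2.20:110", "TCP"),
    ("10.0.0.5:1073", "198.51.100.7:25", "TCP"),    # on the wire only
    ("198.51.100.7:2000", "10.0.0.5:2341", "TCP"),  # inbound to an unlisted port
]
HOST_IP = "10.0.0.5"
NETSTAT_RE = re.compile(r"^(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?")

def parse_netstat(text):
    """Return (set of (proto, local, foreign) connections, set of (proto, port) listeners)."""
    conns, listening = set(), set()
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state = m.groups()
        if state == "LISTENING":
            listening.add((proto, local.rsplit(":", 1)[1]))
        else:
            conns.add((proto, local, foreign))
    return conns, listening

def hidden_connections(host_text, wire, host_ip=HOST_IP):
    """Wire flows touching host_ip that the host's listing explains neither as a connection nor as a listener."""
    conns, listening = parse_netstat(host_text)
    hidden = set()
    for src, dst, proto in wire:
        if src.startswith(host_ip + ":"):
            local, remote = src, dst
        elif dst.startswith(host_ip + ":"):
            local, remote = dst, src
        else:
            continue  # traffic not involving the suspect host
        if (proto, local, remote) not in conns and (proto, local.rsplit(":", 1)[1]) not in listening:
            hidden.add((proto, local, remote))
    return sorted(hidden)
```

    The on-host side of this comparison is only as trustworthy as the kernel it runs on, which is the thread's point, so the signal is the gap between the two views rather than either view alone.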
  16. controler

    controler Guest

    I think I have heard of some using VMWare and a honeypot in that way, to view the data on the honeypotted machine.

    So then DA, why do so many still think they are safe with a software firewall?

    con
     
  17. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    LOL i suppose that makes sense, serves me right for not thinking. i think the trick is to not install a rootkit in the first place :D
     
  18. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Yeah, Processguard is another program that is good at stopping rootkits. ;)
    Since rootkits attack the operating system's kernel, a security program that protects the kernel from all the rootkits out there is a very good thing. It's so difficult to detect and destroy rootkits AFTER they attack the computer, so prevent the rootkit from ever installing in the first place to avoid all the trouble.

    A simple-looking diagram to show it all ( EXAMPLE):
    Rootkit ----> PROCESSGUARD (THE ROOTKIT IS BLOCKED BY PROCESSGUARD THUS STOPPING IT FROM ATTACKING THE KERNEL.)
     
    Last edited: Oct 29, 2005
  19. talltim

    talltim Guest



    So will AntiHook and that's a freebie. :)
     
  20. Because they are not as knowledgeable as you?
    Of course the same people think PG can protect them from rootkits. lol.
     
  21. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    Very true.

    Thanks,

    Chris
     
  22. eyes-open

    eyes-open Registered Member

    Joined:
    May 13, 2005
    Posts:
    721
    Can you be more specific - at which point(s) and why will PG fail to prevent the initial installation of a rootkit ?

    Assuming basics of Global Protection & services protection are in place.

    Thanks :)
     
  23. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097

    In my opinion what can and will happen is that the user will be tricked into thinking the software is legit and allow the alert that PG displays for blocking Driver\Service installations. Of course if you never allow these then you should be fine. I'll use a program that alerts anytime an executable file is run as demonstration.

    You download game.exe and try to run it. (thinking it is the game you want.)
    Your program alerts you that an executable game.exe is trying to run
    You, thinking this has to be allowed to install the game, click OK.
    Game.exe turned out to be virus.exe in simple terms and now you're infected.

    So yes ProcessGuard does the job it says if you never allow driver/service installs. But if you do not investigate further and just allow the driver install since you think the program needs it to run you could become infected. And since you have PG and think you can never get a rootkit you probably don't use a rootkit detector so you will be infected and probably never have a clue.

    This is with any software though. There is no absolute in any situation. ProcessGuard is a good product don't get me wrong (I am a registered user). But it is not the end all. I'm sure you have seen in this and many other forums that the best defense is a layered defense.

    P.S. Mods please feel free to split this topic since we are now talking about PG. Thanks :)

    I hope this answered your question,

    Chris
     
  24. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    It's all good Chris and as long as We come back to....Is there a standard for Trojan/Rootkit to phone home....every once in a while we'll be fine :ninja:
     
  25. eyes-open

    eyes-open Registered Member

    Joined:
    May 13, 2005
    Posts:
    721
    Chris cheers for replying.

    I agree absolutely with the layered defence, I have a decent enough set-up, but I couldn't possibly expect my mum to deal with it on her machine. Luckily her online activity is quite conservative, as is her software installation.. For me it's a sort of hobby and learning process, so it isn't a hassle - it's part of the game.

    Also I agree you can have as many layers as possible, ain't no good if the user gives out a free pass.

    I'm still unclear about how an illegitimate program, even using a false name, can send packets to a crackers client without there being a record of a remote address somewhere.

    Sorry for being thick, it's just one of those things I haven't quite got straight yet. I get how it can receive/hijack incoming packets meant for it. I get that the malignant process can appear benign and be easily missed unless you follow through and do a deeper check.

    At this point I have still to watch the video that Controler pointed me towards, although I now have it downloaded. So if it's in there I'll hopefully get a better grip.

    Cheers :)

    Edit: Bubba snuck in before I'd finished lol
     